提交 a7f2a366 编写于 作者: M Mimi Zohar

ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall

The new kernel module syscall appraises kernel modules based
on policy.   If the IMA policy requires kernel module checking,
fallback to module signature enforcing for the existing syscall.
Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's
integrity is unknown, return -EACCES.

Changelog v1:
- Fix ima_module_check() return result (Tetsuo Handa)
Reported-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
上级 a49f0d1e
...@@ -139,6 +139,7 @@ void ima_delete_rules(void); ...@@ -139,6 +139,7 @@ void ima_delete_rules(void);
/* Appraise integrity measurements */ /* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02 #define IMA_APPRAISE_FIX 0x02
#define IMA_APPRAISE_MODULES 0x04
#ifdef CONFIG_IMA_APPRAISE #ifdef CONFIG_IMA_APPRAISE
int ima_appraise_measurement(struct integrity_iint_cache *iint, int ima_appraise_measurement(struct integrity_iint_cache *iint,
......
...@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check); ...@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
*/ */
int ima_module_check(struct file *file) int ima_module_check(struct file *file)
{ {
int rc; int rc = 0;
if (!file) if (!file) {
rc = INTEGRITY_UNKNOWN; if (ima_appraise & IMA_APPRAISE_MODULES) {
else #ifndef CONFIG_MODULE_SIG_FORCE
rc = -EACCES; /* INTEGRITY_UNKNOWN */
#endif
}
} else
rc = process_measurement(file, file->f_dentry->d_name.name, rc = process_measurement(file, file->f_dentry->d_name.name,
MAY_EXEC, MODULE_CHECK); MAY_EXEC, MODULE_CHECK);
return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
......
...@@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ...@@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
} }
if (!result && (entry->action == UNKNOWN)) if (!result && (entry->action == UNKNOWN))
result = -EINVAL; result = -EINVAL;
else if (entry->func == MODULE_CHECK)
ima_appraise |= IMA_APPRAISE_MODULES;
audit_log_format(ab, "res=%d", !result); audit_log_format(ab, "res=%d", !result);
audit_log_end(ab); audit_log_end(ab);
return result; return result;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册